Question

Ok, essentially the Heartbleed bug was that the OpenSSL library was not checking the actual size of the heartbeat request and was responding with extra data, giving out some memory junk while trying to keep its answer the same size as the initial request.

Was it related only to users who were authorized on a website, or could any malicious user having no account on that service and knowing no passwords start fumbling? In other words, did the actual users of a service have wider possibilities to use this bug than others?

Solution

Heartbleed bug - does authorization matter?

Non-authenticated users who access a site anonymously can theoretically access any memory in the server's process space. Fortunately, it appears the attacker cannot control what area of memory he/she reads. The attacker happens to get memory around the Heartbeat Message (wherever that memory happens to be).

Authentication often occurs with passwords. Authorization usually occurs using a token or cookie. The token or cookie is a product of a successful authentication. Those secrets can be found in memory, too. Hence the reason that passwords and sessions were also reset.
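The missing size check discussed above, as an added example that is not part of the original post and is not OpenSSL's code: a self-contained simulation with no networking, where a flat buffer stands in for process memory. The function names, the buffer layout and the session string are constructed for illustration; note that neither handler takes any credential as input.

```c
#include <stdint.h>
#include <string.h>

#define HB_HDR 3      /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING 16 /* minimum padding required by RFC 6520 */

/* Payload length as claimed by the peer inside the message. */
static size_t hb_claimed(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Unchecked form: echoes the claimed number of bytes and never looks at how
   many bytes arrived. mem_len only bounds this simulation's arena. */
size_t hb_echo_unchecked(const uint8_t *mem, size_t mem_len, uint8_t *out, size_t out_cap) {
    size_t n = hb_claimed(mem);
    if (n > mem_len - HB_HDR) n = mem_len - HB_HDR;
    if (n > out_cap) n = out_cap;
    memcpy(out, mem + HB_HDR, n);
    return n;
}

/* Checked form: silently discard unless header + claimed payload + padding
   fits inside the record that was actually received. */
size_t hb_echo_checked(const uint8_t *mem, size_t record_len, uint8_t *out, size_t out_cap) {
    size_t n;
    if (record_len < HB_HDR + HB_PADDING) return 0;
    n = hb_claimed(mem);
    if (HB_HDR + n + HB_PADDING > record_len || n > out_cap) return 0;
    memcpy(out, mem + HB_HDR, n);
    return n;
}

/* Constructed data standing in for whatever lies next to the request. */
static const char NEIGHBOUR[] = "session=CONSTRUCTED-TOKEN";
/* A header-only request claiming 32 bytes; returns 1 if the reply contains NEIGHBOUR. */
int demo_leaks(int checked) {
    uint8_t mem[64] = { 1, 0x00, 0x20 }, out[64] = { 0 };
    size_t n, secret = sizeof NEIGHBOUR - 1;
    memcpy(mem + HB_HDR, NEIGHBOUR, secret);
    n = checked ? hb_echo_checked(mem, HB_HDR, out, sizeof out)
                : hb_echo_unchecked(mem, sizeof mem, out, sizeof out);
    return n >= secret && memcmp(out, NEIGHBOUR, secret) == 0;
}

/* A well-formed request (4-byte payload + 16 bytes padding) is still answered. */
size_t demo_valid(void) {
    uint8_t rec[HB_HDR + 4 + HB_PADDING] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' }, out[8];
    return hb_echo_checked(rec, sizeof rec, out, sizeof out);
}

int main(void) { return !(demo_leaks(0) == 1 && demo_leaks(1) == 0 && demo_valid() == 4); }
```
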

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow